Analysis
-
max time kernel
64s -
max time network
126s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 19:37
Behavioral task
behavioral1
Sample
RFQ#2071466.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
RFQ#2071466.exe
Resource
win10v20201028
General
-
Target
RFQ#2071466.exe
-
Size
516KB
-
MD5
1ac5867a0b75d47c788950d1a273b83d
-
SHA1
4758d69b44dc4ea857a91b5401f6f9cb316679c6
-
SHA256
9c61e23500bd96aacabe33bf81afe48cddb5bb6bfa61366ba663dff5f58f5034
-
SHA512
5c1141cecdf7f55d3c7f9d6c8ab14b0a7c1b3f9f1532c401cd22454cc95108926603364466df6ab7c8968f6ad6d19e566d7348cc18c1b834e545ba41df1504e4
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RFQ#2071466.exepid process 3968 RFQ#2071466.exe 3968 RFQ#2071466.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RFQ#2071466.exedescription pid process Token: SeDebugPrivilege 3968 RFQ#2071466.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
RFQ#2071466.exepid process 3968 RFQ#2071466.exe 3968 RFQ#2071466.exe